Scanner Profiles

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

In Tenable Vulnerability Management, you can create scanner profiles to customize and manage the behavior of your linked Tenable Nessus scanners. A scanner profile allows you to configure a range of settings for a specific group of scanners.

You can use a profile to:

  • Assign a specific scanner version for testing or standardization purposes.

  • Control how and when scanners receive plugin updates.

  • Determine what plugins Tenable Vulnerability Management installs on linked scanners during the daily plugin update.

By assigning scanners to different profiles, you can apply distinct configurations to various segments of your environment, which provides granular control over scanner operations.

There are two types of scanner profile:

  • Default — The profile to which a scanner or scanner group belongs to unless you assign it to a custom profile. You cannot copy, delete, or edit the name and description of the Default profile.

  • Custom profiles — A custom profile that you create. Custom profiles allow you to associate and configure different scanners and scanner groups based on your business needs.

Note: You cannot set scanner profiles to versions earlier than 10.10.0. Scanner profiles do not affect scanners on versions earlier than 10.10.0.

To manage scanner profiles:

  1. In the left navigation, click Sensors.

    The Sensors page appears. By default, the Nessus Scanners tab is active and Linked Scanners is selected in the drop-down box.

  2. Above the linked scanners table, click Profiles.

    The Profiles page appears.

Use the following procedures to manage your scanner profiles:

Note: You cannot create a scanner profile for an end-of-life (EOL) Tenable Nessus version.

To create a scanner profile:

  1. On the Profiles page, click Add Scanner Profile.

    The Create Scanner Profile page appears.

  2. Configure the following settings for the scanner profile:

    Setting Required Default Description
    Name Yes n/a The scanner profile name.
    Description No n/a The scanner profile description.
    Scanner Version Yes None

    The version that scanners assigned to the profile are upgraded or downgraded to.

    You can set the scanner profile to stay on the latest major version release (for example, 10.x) or the latest minor version release (for example, 10.9.x), or you can set the scanner profile to a specific patch release (for example, 10.9.1).
    Disable Scanner Version Update Yes Disabled Determines whether Tenable Vulnerability Management prevents the scanners from receiving software updates. This setting overrides any scheduled freeze windows.
    Plugin Update Setting Yes Auto update to latest

    Determines what plugins Tenable Vulnerability Management installs on scanners during the daily plugin update. Choose from the following options:

    • Auto update to latest — (Default) Update scanners with the latest plugin set.

    • Delay plugin updates by days — Update scanners with a delayed plugin set. The plugin set can be delayed by a minimum of one day and a maximum of 30 days. If multiple plugin sets were published on the configured day, Tenable Vulnerability Management installs the latest set of that day.

    • Select plugin set from the last 30 days — Update scanners with a specific plugin set from the last 30 days. Tenable Vulnerability Management uses this plugin set until you choose another plugin set or update plan setting.

    Note: This setting only applies to scanners on version 10.10.0 and later.

    Note: If a scanner assigned to the scanner profile has a later plugin set version than the plugin set version offered by Plugin Update Setting, the scanner retains the newer set. In other words, you cannot use this setting to downgrade scanner plugin sets.

  3. Under Assign Scanners, select the checkboxes next to the scanners you want to assign.

  4. Click Create. The scanners’ versions update the next time they check in with Tenable Vulnerability Management, which can take up to 24 hours.

You can link a scanner to a profile by running the nessuscli managed link command and specifying the optional --profile-uuid argument. Use the following procedure to view a profile's --profile-uuid.

To view a scanner profile ID:

  1. On the Profiles page, double-click the scanner profile that you want to view the ID of.

    The Sensor Profile Details page appears.

  2. In the Details tab, view the --profile-uuid under Scanner Profile ID. You can click to copy the ID to your clipboard.

To edit a scanner profile:

  1. On the Profiles page, double-click the profile that you want to edit.

    The Sensor Profile Details page appears.

  2. Edit the scanner profile as needed:

    Setting Required Default Description
    Name Yes n/a The scanner profile name.
    Description No n/a The scanner profile description.
    Scanner Version Yes None

    The version that scanners assigned to the profile are upgraded or downgraded to.

    You can set the scanner profile to stay on the latest major version release (for example, 10.x) or the latest minor version release (for example, 10.9.x), or you can set the scanner profile to a specific patch release (for example, 10.9.1).
    Disable Scanner Version Update Yes Disabled Determines whether Tenable Vulnerability Management prevents the scanners from receiving software updates. This setting overrides any scheduled freeze windows.
    Plugin Update Setting Yes Auto update to latest

    Determines what plugins Tenable Vulnerability Management installs on scanners during the daily plugin update. Choose from the following options:

    • Auto update to latest — (Default) Update scanners with the latest plugin set.

    • Delay plugin updates by days — Update scanners with a delayed plugin set. The plugin set can be delayed by a minimum of one day and a maximum of 30 days. If multiple plugin sets were published on the configured day, Tenable Vulnerability Management installs the latest set of that day.

    • Select plugin set from the last 30 days — Update scanners with a specific plugin set from the last 30 days. Tenable Vulnerability Management uses this plugin set until you choose another plugin set or update plan setting.

    Note: This setting only applies to scanners on version 10.10.0 and later.

    Note: If a scanner assigned to the scanner profile has a later plugin set version than the plugin set version offered by Plugin Update Setting, the scanner retains the newer set. In other words, you cannot use this setting to downgrade scanner plugin sets.

  3. Click Save.

    Tenable Vulnerability Management saves your changes. The scanners’ versions update the next time they check in with Tenable Vulnerability Management, which can take up to 24 hours.

Copy a scanner profile to create a duplicate of the existing scanner profile. You can then use the duplicate to set up a new scanner profile.

To copy a scanner profile:

  1. On the Profiles page, click in the row of the profile that you want to copy.

    A menu appears.

  2. Click Copy.

    Tenable Vulnerability Management creates a new profile with "Copy of" appended to the profile name.

Delete a scanner profile if you no longer need the scanner profile. You cannot undo a scanner profile deletion.

To delete a scanner profile:

  1. On the Profiles page, click in the row of the profile that you want to delete.

    A menu appears.

  2. Click Delete.

    The Delete Nessus Scanner Profile window appears.

  3. Click Delete to confirm the deletion.

    Tenable Vulnerability Management deletes the scanner profile and removes all the linked scanners from the profile.

What to do next: